Sobig Virus Picks Up Steam

After taking most of 2002 off, the world's virus writers seem to be making up for lost time in the early part of 2003.

A new virus, known as Sobig, is spreading rapidly on the Internet, infecting machines worldwide. The virus, which attacks Windows machines running Microsoft Corp.'s Outlook e-mail client, was first seen late last week but has since picked up considerable steam.

Although its momentum has slowed somewhat, the worm that has been flooding inboxes all week is still spreading fairly rapidly. Sobig is the latest in a series of recent mass-mailers and seems set to continue wreaking havoc over the long holiday weekend. By Friday afternoon, MessageLabs Ltd., a British MSP that tracks viruses, had stopped more than 62,000 copies of Sobig and was still seeing as many as 7,000 a day.

Not much is known about the virus at this point, but it seems to be a mass-mailing worm that behaves much like the Lirva worm that began spreading last week. It arrives via e-mail, always in a message from the address and carrying one of four subject lines:

Re: Movies
Re: Document
Re: here is that sample
Re: Sample

The message also includes an attachment, whose filename could include Document003.pif, Sample.pif, Movie_0074.mpeg.pif and Untitled1.pif, according to MessageLabs' analysis of the virus. Sobig uses its own SMTP (Simple Mail Transfer Protocol) engine to mail copies of itself to addresses that it finds on the infected machine's hard drive and e-mail address book. The virus also copies itself to two shared folders on shared network drives.

Sobig then downloads from a Geocities site a file that contains a link to another file located elsewhere on the Internet. The worm downloads this second file and executes it on the infected machine. It's unclear what the file does.

Anti-virus vendor Trend Micro Inc. said the worm may also send an e-mail to its creator, notifying him of which machines are infected.
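
A mail-gateway check built from the subject lines and attachment names reported above, shown as an added example that is not part of the original article or any vendor's product. The function names, the example.com addresses, the constructed sample messages and the list of executable extensions are assumptions made for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators as reported in the article (MessageLabs' analysis).
SOBIG_SUBJECTS = {"re: movies", "re: document", "re: here is that sample", "re: sample"}
SOBIG_ATTACHMENTS = {"document003.pif", "sample.pif", "movie_0074.mpeg.pif", "untitled1.pif"}
# Assumption (not from the article): extensions the gateway treats as executable.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}


def attachment_names(msg):
    """Return the lower-cased filename of every MIME part that declares one."""
    return [part.get_filename().strip().lower()
            for part in msg.walk() if part.get_filename()]


def score_message(raw_bytes):
    """Return the list of reasons a raw RFC 822 message resembles the Sobig mailing."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # Collapse whitespace so folded or padded subjects still match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject:" + subject)
    for name in attachment_names(msg):
        if name in SOBIG_ATTACHMENTS:
            reasons.append("known-name:" + name)
        # Generic rule: catches renamed copies that keep an executable extension.
        if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
            reasons.append("executable-ext:" + name)
            if name.count(".") > 1:  # e.g. .mpeg.pif hides the real type
                reasons.append("double-ext:" + name)
    return reasons


def build_sample(subject, filename, payload=b"constructed test bytes"):
    """Build a constructed test message; no real malware content is involved."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Attached file:")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The exact-name and subject matches only cover this mailing; the extension rules are what keep the check useful once filenames change.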